Abstract

Universal hashing, discovered by Carter and Wegman in 1979, has many important applications in computer science. MMH*, which was shown to be $\Delta$-universal by Halevi and Krawczyk in 1997, is a well-known universal hash function family. We introduce a variant of MMH*, that we call GRDH, where we use an arbitrary integer $n > 1$ instead of a prime $p$ and let the keys $\mathbf{x} = (x_1, \ldots, x_k) \in \mathbb{Z}_n^k$ satisfy the conditions $\gcd(x_i, n) = t_i$ ($1 \le i \le k$), where $t_1, \ldots, t_k$ are given positive divisors of $n$. Then, via connecting the universal hashing problem to the number of solutions of restricted linear congruences, we prove that the family GRDH is an $\varepsilon$-almost-$\Delta$-universal family of hash functions for some $\varepsilon < 1$ if and only if $n$ is odd and $\gcd(x_i, n) = t_i = 1$ ($1 \le i \le k$). Furthermore, if these conditions are satisfied then GRDH is $\frac{1}{p-1}$-almost-$\Delta$-universal, where $p$ is the smallest prime divisor of $n$. Finally, as an application of our results, we propose an authentication code with secrecy scheme which strongly generalizes the scheme studied by Alomair et al. [J. Math. Cryptol. 4 (2010), 121-148], and [J.UCS 15 (2009), 2937-2956].

Keywords: Universal hashing; authentication code with secrecy; restricted linear congruence


1 Introduction 

Universal hash functions, discovered by Carter and Wegman, have many applications in computer science, including cryptography and information security [10, 38, 49, 50], pseudorandomness [36], complexity theory [15], randomized algorithms [23, 34], data structures [37], and parallel computing [25, 29]. Since universality of hash functions and its variants are concepts central to this work, we begin by describing them in detail. Our description of these concepts closely follows the definitions given in [16].

*We have presented an extended abstract of this paper [9] in ISITA 2016. 
1.1 Universal hashing and its variants

Let $D$ and $R$ be finite sets. Let $H$ be a family of functions from domain $D$ to range $R$. We say that $H$ is a universal family of hash functions if the probability, over a random choice of a hash function from $H$, that two distinct keys in $D$ have the same hash value is at most $\frac{1}{|R|}$. That is, universal hashing captures the important property that distinct keys in $D$ do not collide too often. Furthermore, we say that $H$ is an $\varepsilon$-almost-universal ($\varepsilon$-AU) family of hash functions if the probability of collision is at most $\varepsilon$, for $\frac{1}{|R|} \le \varepsilon \le 1$. In other words, an $\varepsilon$-AU family, for sufficiently small $\varepsilon$, is close to being universal; see Definition 1.1 below. Universal and almost-universal hash functions have many applications in algorithm design. For example, they have been used to provide efficient solutions for the dictionary problem, in which the goal is to maintain a dynamic set $S$ that is updated using insert and delete operations, using small space, so that membership queries that ask whether a certain element is in $S$ can be answered quickly.

Motivated by applications to cryptography, a notion of $\Delta$-universality was introduced (see [16]). Suppose that $R$ is an Abelian group. We say that $H$ is a $\Delta$-universal family of hash functions if the probability, over a random $h \in H$, that two distinct keys in $D$ hash to values that are distance $b$ apart, for any $b$ in $R$, is $1/|R|$. Note that the case $b = 0$ corresponds to universality. Furthermore, we say that $H$ is $\varepsilon$-almost-$\Delta$-universal ($\varepsilon$-A$\Delta$U) if this probability is at most $\varepsilon$, $\frac{1}{|R|} \le \varepsilon \le 1$. We remark that $\varepsilon$-A$\Delta$U families have applications to message authentication. Informally, it is possible to design a message authentication scheme using $\varepsilon$-A$\Delta$U families such that two parties can exchange signed messages over an unreliable channel and the probability that an adversary can forge a valid signed message to be sent across the channel is at most $\varepsilon$ ([16]). Also, the well-known leftover hash lemma states that (almost) universal hash functions are good randomness extractors.

Finally, in Section 4 on authentication codes with secrecy, we need the notion of strong universality, which was introduced in [50]. We say that $H$ is a strongly universal family of hash functions if the probability, over a random choice of a hash function from $H$, that two distinct keys $x$ and $y$ in $D$ are mapped to $a$ and $b$ respectively is $\frac{1}{|R|^2}$. We say that $H$ is $\varepsilon$-almost-strongly-universal ($\varepsilon$-ASU) if this probability is at most $\varepsilon$, $\frac{1}{|R|^2} \le \varepsilon \le 1$.

We now provide a formal definition of the concepts introduced above as in [16]. For a set $A$, we write $x \leftarrow A$ to denote that $x$ is chosen uniformly at random from $A$.

Definition 1.1. Let $H$ be a family of functions from a domain $D$ to a range $R$. Let $\varepsilon$ be a constant such that $\frac{1}{|R|} \le \varepsilon \le 1$. The probabilities below are taken over the random choice of hash function $h$ from the set $H$.

• The family $H$ is a universal family of hash functions if for any two distinct $x, y \in D$, we have $\Pr_{h \leftarrow H}[h(x) = h(y)] \le \frac{1}{|R|}$. Also, $H$ is an $\varepsilon$-almost-universal ($\varepsilon$-AU) family of hash functions if for any two distinct $x, y \in D$, we have $\Pr_{h \leftarrow H}[h(x) = h(y)] \le \varepsilon$.

• Suppose $R$ is an Abelian group. The family $H$ is a $\Delta$-universal family of hash functions if for any two distinct $x, y \in D$, and all $b \in R$, we have $\Pr_{h \leftarrow H}[h(x) - h(y) = b] = \frac{1}{|R|}$, where '$-$' denotes the group subtraction operation. Also, $H$ is an $\varepsilon$-almost-$\Delta$-universal ($\varepsilon$-A$\Delta$U) family of hash functions if for any two distinct $x, y \in D$, and all $b \in R$, we have $\Pr_{h \leftarrow H}[h(x) - h(y) = b] \le \varepsilon$.

• The family $H$ is a strongly universal family of hash functions if for any two distinct $x, y \in D$, and all $a, b \in R$, we have $\Pr_{h \leftarrow H}[h(x) = a,\ h(y) = b] = \frac{1}{|R|^2}$. Also, $H$ is an $\varepsilon$-almost-strongly-universal ($\varepsilon$-ASU) family of hash functions if for any two distinct $x, y \in D$, and all $a, b \in R$, we have $\Pr_{h \leftarrow H}[h(x) = a,\ h(y) = b] \le \varepsilon$.

1.2 MMH* 

The hash function family we study, GRDH, is a variant of a well-known family which was named MMH* (Multilinear Modular Hashing) by Halevi and Krawczyk [16]. Let $p$ be a prime and $k$ be a positive integer. Each hash function in the family MMH* takes as input a $k$-tuple $\mathbf{m} = (m_1, \ldots, m_k) \in \mathbb{Z}_p^k$. It computes the dot product of $\mathbf{m}$ with a fixed $k$-tuple $\mathbf{x} = (x_1, \ldots, x_k) \in \mathbb{Z}_p^k$ and outputs this value modulo $p$.

Definition 1.2. Let $p$ be a prime and $k$ be a positive integer. The family MMH* is defined as follows:
$$\mathrm{MMH}^* := \{ g_{\mathbf{x}} : \mathbb{Z}_p^k \to \mathbb{Z}_p \mid \mathbf{x} \in \mathbb{Z}_p^k \}, \tag{1.1}$$
where
$$g_{\mathbf{x}}(\mathbf{m}) := \mathbf{m} \cdot \mathbf{x} \pmod p = \sum_{i=1}^{k} m_i x_i \pmod p, \tag{1.2}$$
for any $\mathbf{x} = (x_1, \ldots, x_k) \in \mathbb{Z}_p^k$, and any $\mathbf{m} = (m_1, \ldots, m_k) \in \mathbb{Z}_p^k$.

The family MMH* is widely attributed to Carter and Wegman, while it seems that Gilbert, MacWilliams, and Sloane had already discovered it (but in the finite geometry setting). Halevi and Krawczyk [16], using the multiplicative inverse method, proved that MMH* is a $\Delta$-universal family of hash functions. We also remark that, recently, Leiserson et al. [29] rediscovered MMH* (calling it the "DOTMIX compression function family") and, using the same method as Halevi and Krawczyk [16], proved that DOTMIX is $\Delta$-universal. They then applied this result to the problem of deterministic parallel random-number generation for dynamic multithreading platforms in parallel computing.

Theorem 1.3 ([16, 29]). The family MMH* is a $\Delta$-universal family of hash functions.

Very recently, it was proved that MMH* with an arbitrary modulus is always almost-universal [6].

1.3 Our contributions 

Suppose that, instead of a prime $p$, one uses an arbitrary integer $n > 1$ in the definition of MMH*. Additionally, we ask that the keys $\mathbf{x} = (x_1, \ldots, x_k) \in \mathbb{Z}_n^k$ satisfy the conditions $\gcd(x_i, n) = t_i$ ($1 \le i \le k$), where $t_1, \ldots, t_k$ are given positive divisors of $n$. We call this new family GRDH and refer the reader to Section 3 for a formal definition.

Many natural questions arise: What can we say about universality (or $\varepsilon$-almost-universality) of GRDH? What can we say about $\Delta$-universality (or $\varepsilon$-almost-$\Delta$-universality) of GRDH? Recently, Alomair, Clark, and Poovendran [1] presented a construction of codes with secrecy based on a universal hash function family that is a special case of GRDH. Is it possible to generalize their construction and analyse its security properties?

• In Theorem 3.3 we prove that if $n, k > 1$ then the family GRDH is an $\varepsilon$-AU family of hash functions for some $\varepsilon < 1$ if and only if $n$ is odd and $\gcd(x_i, n) = t_i = 1$ ($1 \le i \le k$). Furthermore, if these conditions are satisfied then GRDH is $\frac{1}{p-1}$-AU, where $p$ is the smallest prime divisor of $n$. This bound is tight.

• In Remark 3.4 we conclude (from the idea of the proof of Theorem 3.3) that if $k = 1$ then the family GRDH is an $\varepsilon$-AU family of hash functions for some $\varepsilon < 1$ if and only if $\gcd(x_1, n) = t_1 = 1$. Furthermore, if $\gcd(x_1, n) = t_1 = 1$ (that is, if $x_1 \in \mathbb{Z}_n^*$) then the collision probability for any two distinct messages is 'exactly zero'.

• In Theorem 3.5 we show that if $n > 1$ then the family GRDH is an $\varepsilon$-A$\Delta$U family of hash functions for some $\varepsilon < 1$ if and only if $n$ is odd and $\gcd(x_i, n) = t_i = 1$ ($1 \le i \le k$). Furthermore, if these conditions are satisfied then GRDH is $\frac{1}{p-1}$-A$\Delta$U, where $p$ is the smallest prime divisor of $n$. This bound is tight.

• In Theorem 4.2 we generalize the construction of authentication code with secrecy presented in [1, 2]. Using Theorem 3.5, we show that our construction is a $\left(\frac{1}{(p-1)n^{k-1}}, \frac{1}{p-1}\right)$-authentication code with secrecy for equiprobable source states on $\mathbb{Z}_n^k \setminus \{\mathbf{0}\}$, where $n$ is odd, and $p$ is the smallest prime divisor of $n$.

Our results show that if one uses a composite integer $n$ in the definition of MMH* then even by choosing the keys $\mathbf{x} = (x_1, \ldots, x_k)$ from $(\mathbb{Z}_n^*)^k$, or more generally, choosing the keys $\mathbf{x} = (x_1, \ldots, x_k)$ from $\mathbb{Z}_n^k$ with the general conditions $\gcd(x_i, n) = t_i$ ($1 \le i \le k$), where $t_1, \ldots, t_k$ are given positive divisors of $n$, we cannot get any strong collision bound (unless $k = 1$ and $\gcd(x_1, n) = t_1 = 1$; in this case, as we mentioned above, the collision probability for any two distinct messages is 'exactly zero'). Such impossibility results were not known before.

The main technique in proving the hashing results is connecting the universal hashing problem to the number of solutions of restricted linear congruences, which we believe is a novel idea and could also be of independent interest. We use an explicit formula for the number of solutions of restricted linear congruences, recently obtained by Bibak et al. [8] using properties of Ramanujan sums and of the finite Fourier transform of arithmetic functions, which we review in Section 2. We believe that this is the first paper that introduces applications of Ramanujan sums, the finite Fourier transform, and restricted linear congruences in the study of universal hashing. We hope this approach will lead to further work.


2 Restricted linear congruences 

Throughout the paper, we use $(a_1, \ldots, a_k)$ to denote the greatest common divisor (gcd) of the integers $a_1, \ldots, a_k$, and write $\langle a_1, \ldots, a_k \rangle$ for an ordered $k$-tuple of integers. Also, for $a \in \mathbb{Z} \setminus \{0\}$ and a prime $p$, we use the notation $p^r \,\|\, a$ if $p^r \mid a$ and $p^{r+1} \nmid a$. We also use $\mathbf{0}$ to denote the vector of all zeroes. The multiplicative group of integers modulo $n$ is denoted by $\mathbb{Z}_n^*$.

Let $a_1, \ldots, a_k, b, n \in \mathbb{Z}$, $n \ge 1$. A linear congruence in $k$ unknowns $x_1, \ldots, x_k$ is of the form
$$a_1 x_1 + \cdots + a_k x_k \equiv b \pmod n. \tag{2.1}$$
By a solution of (2.1) we mean an $\mathbf{x} = \langle x_1, \ldots, x_k \rangle \in \mathbb{Z}_n^k$ that satisfies (2.1). The following result, proved by D. N. Lehmer [28], gives the number of solutions of the above linear congruence:

Proposition 2.1. Let $a_1, \ldots, a_k, b, n \in \mathbb{Z}$, $n \ge 1$. The linear congruence $a_1 x_1 + \cdots + a_k x_k \equiv b \pmod n$ has a solution $\langle x_1, \ldots, x_k \rangle \in \mathbb{Z}_n^k$ if and only if $\ell \mid b$, where $\ell = (a_1, \ldots, a_k, n)$. Furthermore, if this condition is satisfied, then there are $\ell\, n^{k-1}$ solutions.

The solutions of the above congruence may be subject to certain conditions, such as $(x_i, n) = t_i$ ($1 \le i \le k$), where $t_1, \ldots, t_k$ are given positive divisors of $n$. The number of solutions of this kind of congruence, which were called restricted linear congruences in [8], has been studied, in special cases, in many papers and has found very interesting applications in number theory, combinatorics, and cryptography, among other areas (see, e.g., [12, 35]). Recently, Bibak et al. [8] dealt with the problem in its 'most general case' and, using properties of Ramanujan sums and of the finite Fourier transform of arithmetic functions, gave an explicit formula for the number of solutions of the restricted linear congruence
$$a_1 x_1 + \cdots + a_k x_k \equiv b \pmod n, \qquad (x_i, n) = t_i \ (1 \le i \le k), \tag{2.2}$$
where $a_1, t_1, \ldots, a_k, t_k, b, n$ ($n \ge 1$) are arbitrary integers.

The special case of $k = 2$, $a_i = 1$, $t_i = 1$ ($1 \le i \le k$) of (2.2) is related to a long-standing conjecture due to D. H. Lehmer from 1932. Also, the special case of $b = 0$, $a_i = 1$, $t_i = \frac{n}{m_i}$, $m_i \mid n$ ($1 \le i \le k$) is related to the orbicyclic (multivariate arithmetic) function ([30]), which has very interesting combinatorial and topological applications, in particular in counting non-isomorphic maps on orientable surfaces. See [8] for a detailed discussion about restricted linear congruences and their applications.

If in (2.2) one has $a_i = 0$ for every $1 \le i \le k$, then clearly there are solutions $(x_1, \ldots, x_k)$ if and only if $b \equiv 0 \pmod n$ and $t_i \mid n$ ($1 \le i \le k$), and in this case there are $\varphi(n/t_1) \cdots \varphi(n/t_k)$ solutions.

Consider the restricted linear congruence (2.2) and assume that there is an $i_0$ such that $a_{i_0} \ne 0$. For every prime divisor $p$ of $n$ let $r_p$ be the exponent of $p$ in the prime factorization of $n$ and let $m_p = m_p(a_1, t_1, \ldots, a_k, t_k)$ denote the smallest $j \ge 1$ such that there is some $i$ with $p^j \nmid a_i t_i$. There exists a finite $m_p$ for every $p$, since for a sufficiently large $j$ one has $p^j \nmid a_{i_0} t_{i_0}$. Furthermore, let
$$e_p = e_p(a_1, t_1, \ldots, a_k, t_k) = \#\{ i : 1 \le i \le k,\ p^{m_p} \nmid a_i t_i \}.$$
By definition, $1 \le e_p \le$ the number of $i$ such that $a_i \ne 0$. Note that in many situations instead of $m_p(a_1, t_1, \ldots, a_k, t_k)$ we write $m_p$ and instead of $e_p(a_1, t_1, \ldots, a_k, t_k)$ we write $e_p$ for short. However, it is important to note that both $m_p$ and $e_p$ always depend on $a_1, t_1, \ldots, a_k, t_k, p$.

Theorem 2.2 ([8]). Let $a_i, t_i, b, n \in \mathbb{Z}$, $n \ge 1$, $t_i \mid n$ ($1 \le i \le k$) and assume that $a_i \ne 0$ for at least one $i$. Consider the linear congruence $a_1 x_1 + \cdots + a_k x_k \equiv b \pmod n$, with $(x_i, n) = t_i$ ($1 \le i \le k$). If there is a prime $p \mid n$ such that $m_p \le r_p$ and $p^{m_p - 1} \nmid b$, or $m_p \ge r_p + 1$ and $p^{r_p} \nmid b$, then the linear congruence has no solution. Otherwise, the number of solutions is
$$\prod_{i=1}^{k} \varphi\!\left(\frac{n}{t_i}\right) \prod_{\substack{p \mid n \\ m_p \le r_p \\ p^{m_p} \mid b}} p^{m_p - r_p - 1}\left(1 + \frac{(-1)^{e_p}}{(p-1)^{e_p - 1}}\right) \prod_{\substack{p \mid n \\ m_p \le r_p \\ p^{m_p - 1} \,\|\, b}} p^{m_p - r_p - 1}\left(1 - \frac{(-1)^{e_p}}{(p-1)^{e_p}}\right), \tag{2.3}$$
where the last two products are over the prime factors $p$ of $n$ with the given additional properties. Note that the last product is empty and equal to 1 if $b = 0$.

Formula (2.3) will be the core for the applications to universal hashing that we present in this paper.

Corollary 2.3 ([8]). The restricted congruence given in Theorem 2.2 has no solutions if and only if one of the following cases holds:

(i) there is a prime $p \mid n$ with $m_p \le r_p$ and $p^{m_p - 1} \nmid b$;

(ii) there is a prime $p \mid n$ with $m_p \ge r_p + 1$ and $p^{r_p} \nmid b$;

(iii) there is a prime $p \mid n$ with $m_p \le r_p$, $e_p = 1$ and $p^{m_p} \mid b$;

(iv) $n$ is even, $m_2 \le r_2$, $e_2$ is odd and $2^{m_2} \mid b$;

(v) $n$ is even, $m_2 \le r_2$, $e_2$ is even and $2^{m_2 - 1} \,\|\, b$.

Corollary 2.3 is the only result in the literature which gives necessary and sufficient conditions for the (non-)existence of solutions of restricted linear congruences in their most general case and might lead to interesting applications/implications. For example, Corollary 2.3 can be considered as relevant to the generalized knapsack problem. The knapsack problem is of significant interest in cryptography, computational complexity, and several other areas. Micciancio [33] proposed a generalization of this problem to arbitrary rings, and studied its average-case complexity. This generalized knapsack problem, proposed by Micciancio [33], is described as follows: for any ring $R$ and subset $S \subset R$, given elements $a_1, \ldots, a_k \in R$ and a target element $b \in R$, find $(x_1, \ldots, x_k) \in S^k$ such that $\sum_{i=1}^{k} a_i \cdot x_i = b$, where all operations are performed in the ring. Interestingly, Corollary 2.3 helps us to deal with this problem in a quite natural case:

Remark 2.4. The generalized knapsack problem with $R = \mathbb{Z}_n$ and $S = \mathbb{Z}_n^*$ has no solutions if and only if one of the cases of Corollary 2.3 holds.

Theorem 2.2 also has important applications in combinatorics, geometry, string theory, and quantum field theory (QFT) [5]; for example, it is related to Harvey's famous theorem on the cyclic groups of automorphisms of compact Riemann surfaces [5].
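The following Python script is an added worked example (it is not code from [8] or from this paper): it implements the count of Theorem 2.2, including both no-solution conditions and the definitions of $r_p$, $m_p$ and $e_p$ given above, and cross-checks it against a brute-force enumeration of $\mathbb{Z}_n^k$ on small constructed instances. The function names and the test instances are ours.

```python
"""Number of solutions of a_1 x_1 + ... + a_k x_k = b (mod n) with gcd(x_i, n) = t_i:
the closed formula (2.3) of Theorem 2.2 versus brute-force enumeration.
Added example; function names are ours, not from the paper."""
from fractions import Fraction
from itertools import product
from math import gcd


def prime_factorization(n):
    """{p: r_p} for n >= 1, by trial division (adequate for the small moduli used here)."""
    factors, p = {}, 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def euler_phi(n):
    return sum(1 for x in range(1, n + 1) if gcd(x, n) == 1)


def m_p_and_e_p(p, a, t):
    """m_p: smallest j >= 1 with p^j not dividing some a_i t_i; e_p: number of such i at j = m_p.
    The loop terminates because at least one a_i is nonzero."""
    j = 1
    while all((ai * ti) % p ** j == 0 for ai, ti in zip(a, t)):
        j += 1
    e = sum(1 for ai, ti in zip(a, t) if (ai * ti) % p ** j != 0)
    return j, e


def count_solutions_formula(n, a, t, b):
    """Formula (2.3); returns 0 exactly when Theorem 2.2 says there is no solution."""
    assert n >= 1 and len(a) == len(t) and all(n % ti == 0 for ti in t)
    assert any(ai != 0 for ai in a), "Theorem 2.2 needs some a_i != 0"
    count = Fraction(1)
    for ti in t:
        count *= euler_phi(n // ti)
    for p, r in prime_factorization(n).items():
        m, e = m_p_and_e_p(p, a, t)
        if m <= r:
            if b % p ** (m - 1) != 0:
                return 0                     # m_p <= r_p and p^(m_p - 1) does not divide b
            if b % p ** m == 0:              # p^(m_p) | b
                count *= Fraction(p) ** (m - r - 1) * (1 + Fraction((-1) ** e, (p - 1) ** (e - 1)))
            else:                            # p^(m_p - 1) exactly divides b
                count *= Fraction(p) ** (m - r - 1) * (1 - Fraction((-1) ** e, (p - 1) ** e))
        elif b % p ** r != 0:
            return 0                         # m_p >= r_p + 1 and p^(r_p) does not divide b
        # m_p >= r_p + 1 and p^(r_p) | b contributes the factor 1
    assert count.denominator == 1
    return int(count)


def count_solutions_brute(n, a, t, b):
    """Direct enumeration of Z_n^k; exponential in k, for cross-checking only."""
    return sum(
        1
        for x in product(range(n), repeat=len(a))
        if all(gcd(xi, n) == ti for xi, ti in zip(x, t))
        and sum(ai * xi for ai, xi in zip(a, x)) % n == b % n
    )


def formula_matches_brute_force(n, t):
    """Cross-check (2.3) against enumeration for every a != 0 (entries in Z_n) and every b."""
    for a in product(range(n), repeat=len(t)):
        if not any(a):
            continue
        for b in range(n):
            if count_solutions_formula(n, a, t, b) != count_solutions_brute(n, a, t, b):
                return False
    return True
```

For instance, $n = 15$, $\mathbf{a} = (1, 1)$, $\mathbf{t} = (1, 1)$, $b = 0$ gives $\varphi(15)^2 \cdot \frac{1}{3}\cdot\frac{3}{2} \cdot \frac{1}{5}\cdot\frac{5}{4} = 8$ solutions, while $n = 15$, $a_1 = 1$, $t_1 = 1$, $b = 0$ gives $e_3 = 1$ and hence the zero factor of case (iii) of Corollary 2.3.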
3 GRDH

In this section, we introduce a variant of MMH* that we call GRDH (Generalized Restricted Dot Product Hashing). Then we investigate the $\varepsilon$-almost-universality and $\varepsilon$-almost-$\Delta$-universality of GRDH via connecting the problem to the number of solutions of restricted linear congruences.

Definition 3.1. Let $n$ and $k$ be positive integers ($n > 1$). We define the family RDH as follows:
$$\mathrm{RDH} := \{ T_{\mathbf{x}} : \mathbb{Z}_n^k \to \mathbb{Z}_n \mid \mathbf{x} \in (\mathbb{Z}_n^*)^k \}, \tag{3.1}$$
where
$$T_{\mathbf{x}}(\mathbf{m}) := \mathbf{m} \cdot \mathbf{x} \pmod n = \sum_{i=1}^{k} m_i x_i \pmod n, \tag{3.2}$$
for any $\mathbf{x} = (x_1, \ldots, x_k) \in (\mathbb{Z}_n^*)^k$, and any $\mathbf{m} = (m_1, \ldots, m_k) \in \mathbb{Z}_n^k$. Suppose that $t_1, \ldots, t_k$ are given positive divisors of $n$. Now, if in the definition of RDH instead of having $\mathbf{x} = (x_1, \ldots, x_k) \in (\mathbb{Z}_n^*)^k$, we have, more generally, $\mathbf{x} = (x_1, \ldots, x_k) \in \mathbb{Z}_n^k$ with $(x_i, n) = t_i$ ($1 \le i \le k$), then we get a generalization of RDH that we call GRDH.

It would be an interesting question to investigate for which values of $n$ GRDH is $\varepsilon$-AU or $\varepsilon$-A$\Delta$U. We now deal with these problems. The explicit formula for the number of solutions of restricted linear congruences (Theorem 2.2) plays a key role here.

First, we prove the following lemma, which is needed in proving the hashing results.

Lemma 3.2. Let $k$ and $n$ be positive integers ($n > 1$). For every prime divisor $p$ of $n$ let $r_p$ be the exponent of $p$ in the prime factorization of $n$. Also, suppose that $t_1, \ldots, t_k$ are given positive divisors of $n$. There are the following two cases:

(i) If there exists some $t_{i_0}$ such that $t_{i_0} \ne 1$ then there exists $\mathbf{a} = (a_1, \ldots, a_k) \in \mathbb{Z}_n^k \setminus \{\mathbf{0}\}$ such that for every prime $p \mid n$ we have $m_p(a_1, t_1, \ldots, a_k, t_k) > r_p$.

(ii) If $t_i = 1$ ($1 \le i \le k$) then for every $\mathbf{a} = (a_1, \ldots, a_k) \in \mathbb{Z}_n^k \setminus \{\mathbf{0}\}$ there exists at least one prime $p \mid n$ such that $m_p(a_1, \ldots, a_k) \le r_p$.

Proof. (i) WLOG, let $t_1 \ne 1$, say, $t_1 = t$ with $t \mid n$ and $t > 1$. Take $a_1 = \frac{n}{t}$ and $a_2 = \cdots = a_k = 0$. Now, for every prime $p \mid n$ we have $p^{r_p} \mid a_i t_i$ ($1 \le i \le k$). Therefore, for every prime $p \mid n$ we have $m_p(\frac{n}{t}, t, 0, t_2, \ldots, 0, t_k) > r_p$.

(ii) Let $t_i = 1$ ($1 \le i \le k$) and $\mathbf{a} = (a_1, \ldots, a_k) \in \mathbb{Z}_n^k \setminus \{\mathbf{0}\}$ be given. Suppose that for every prime $p \mid n$ we have $m_p(a_1, \ldots, a_k) > r_p$. This implies that for every prime $p \mid n$ we have $p^{r_p} \mid a_i$ ($1 \le i \le k$). Therefore, we get $n \mid a_i$ ($1 \le i \le k$), which is not possible because there exists some $i$ such that $a_i \in \mathbb{Z}_n \setminus \{0\}$. □

Now, we are ready to investigate the $\varepsilon$-almost-universality of GRDH.

Theorem 3.3. Let $n$ and $k$ be positive integers ($n, k > 1$). The family GRDH is an $\varepsilon$-AU family of hash functions for some $\varepsilon < 1$ if and only if $n$ is odd and $(x_i, n) = t_i = 1$ ($1 \le i \le k$). Furthermore, if these conditions are satisfied then GRDH (which is then reduced to RDH) is $\frac{1}{p-1}$-AU, where $p$ is the smallest prime divisor of $n$. This bound is tight.
Proof. Assume the setting of the family GRDH, and that $\mathbf{t} = (t_1, \ldots, t_k)$ is given. Let $n > 1$ and for every prime divisor $p$ of $n$ let $r_p$ be the exponent of $p$ in the prime factorization of $n$. Suppose that $\mathbf{m} = (m_1, \ldots, m_k) \in \mathbb{Z}_n^k$ and $\mathbf{m}' = (m'_1, \ldots, m'_k) \in \mathbb{Z}_n^k$ are any two distinct messages. Put $\mathbf{a} = (a_1, \ldots, a_k) = \mathbf{m} - \mathbf{m}'$. Since $\mathbf{m} \ne \mathbf{m}'$, there exists some $i$ such that $a_i \ne 0$. If in the family GRDH there is a collision between $\mathbf{m}$ and $\mathbf{m}'$, this means that there exists an $\mathbf{x} = (x_1, \ldots, x_k) \in \mathbb{Z}_n^k$ with $(x_i, n) = t_i$, $t_i \mid n$ ($1 \le i \le k$) such that $T_{\mathbf{x}}(\mathbf{m}) = T_{\mathbf{x}}(\mathbf{m}')$. Clearly,
$$T_{\mathbf{x}}(\mathbf{m}) = T_{\mathbf{x}}(\mathbf{m}') \iff \sum_{i=1}^{k} a_i x_i \equiv 0 \pmod n.$$
So, we need to find the number of solutions $\mathbf{x} = (x_1, \ldots, x_k) \in \mathbb{Z}_n^k$ of the restricted linear congruence $a_1 x_1 + \cdots + a_k x_k \equiv 0 \pmod n$, with $(x_i, n) = t_i$, $t_i \mid n$ ($1 \le i \le k$). Here, since $b = 0$, neither of the two cases stated in the first part of Theorem 2.2 holds. Thus, by formula (2.3), there are exactly
$$\prod_{i=1}^{k} \varphi\!\left(\frac{n}{t_i}\right) \prod_{\substack{p \mid n \\ m_p \le r_p}} p^{m_p - r_p - 1}\left(1 + \frac{(-1)^{e_p}}{(p-1)^{e_p - 1}}\right)$$
choices for such $\mathbf{x} = (x_1, \ldots, x_k) \in \mathbb{Z}_n^k$ that satisfy the aforementioned restricted linear congruence, where the last product is over the prime factors $p$ of $n$ with $m_p \le r_p$, $r_p$ is the exponent of $p$ in the prime factorization of $n$, $m_p$ is the smallest $j \ge 1$ such that there is some $i$ with $p^j \nmid a_i t_i$, and
$$e_p = \#\{ i : 1 \le i \le k,\ p^{m_p} \nmid a_i t_i \}.$$
Also, since $(x_i, n) = t_i$ ($1 \le i \le k$), the total number of choices for $(x_1, \ldots, x_k)$ is $\prod_{i=1}^{k} \varphi(n/t_i)$. Therefore, given any $\mathbf{a} = (a_1, \ldots, a_k) \in \mathbb{Z}_n^k \setminus \{\mathbf{0}\}$, the collision probability is exactly
$$P_{\mathbf{a}}(n, \mathbf{t}) = \prod_{\substack{p \mid n \\ m_p \le r_p}} p^{m_p - r_p - 1}\left(1 + \frac{(-1)^{e_p}}{(p-1)^{e_p - 1}}\right). \tag{3.4}$$

Now, there are two cases:

(i) If for a prime $p \mid n$ we have $m_p \le r_p$ then, by (3.4), the term corresponding to this $p$ in $P_{\mathbf{a}}(n, \mathbf{t})$ equals
$$p^{m_p - r_p - 1}\left(1 + \frac{(-1)^{e_p}}{(p-1)^{e_p - 1}}\right) \le p^{-1}\left(1 + \frac{1}{(p-1)^{2-1}}\right) = \frac{1}{p-1}.$$

(ii) If for a prime $p \mid n$ we have $m_p > r_p$ then, by (3.4), the term corresponding to this $p$ in $P_{\mathbf{a}}(n, \mathbf{t})$ equals 1.

Let there exist some $i_0$ such that $t_{i_0} \ne 1$. Then, by Lemma 3.2(i), there exists $\mathbf{a} = (a_1, \ldots, a_k) \in \mathbb{Z}_n^k \setminus \{\mathbf{0}\}$ such that for every prime $p \mid n$ we have $m_p(a_1, t_1, \ldots, a_k, t_k) > r_p$. Now, by (3.4) and case (ii) above, the collision probability for this specific $\mathbf{a}$ is exactly one.

Now, assume that $t_i = 1$ ($1 \le i \le k$). Then, if $n$ is even, by taking $a_1 = a_2 = \frac{n}{2}$ and $a_3 = \cdots = a_k = 0$, one can see that $m_2(\frac{n}{2}, \frac{n}{2}, 0, \ldots, 0) = r_2$ and $e_2 = 2$, and for every other prime $p \mid n$ we have $m_p(\frac{n}{2}, \frac{n}{2}, 0, \ldots, 0) > r_p$. Now, by (3.4) (the factor for $p = 2$ is $2^{r_2 - r_2 - 1}(1 + \frac{1}{1}) = 1$) and case (ii) above, the collision probability for this specific $\mathbf{a}$ is exactly one.

Now, suppose that $n$ is odd and $t_i = 1$ ($1 \le i \le k$). Then, by Lemma 3.2(ii), for every $\mathbf{a} = (a_1, \ldots, a_k) \in \mathbb{Z}_n^k \setminus \{\mathbf{0}\}$ there exists at least one prime $p \mid n$ such that $m_p(a_1, \ldots, a_k) \le r_p$. Now, by (3.4) and cases (i), (ii) above, one can see that
$$\max_{\mathbf{a} = \mathbf{m} - \mathbf{m}' \in \mathbb{Z}_n^k \setminus \{\mathbf{0}\}} P_{\mathbf{a}}(n, \mathbf{t})$$
is achieved at a specific $\mathbf{a} = (a_1, \ldots, a_k) \in \mathbb{Z}_n^k \setminus \{\mathbf{0}\}$ for which there exists exactly one prime $p \mid n$ such that $m_p(a_1, \ldots, a_k) \le r_p$, and furthermore, $p$ has to be the smallest prime divisor of $n$, which we denote by $p_{\min}$.

Consequently, if $n$ is odd and $(x_i, n) = t_i = 1$ ($1 \le i \le k$) then for any two distinct messages $\mathbf{m}, \mathbf{m}' \in \mathbb{Z}_n^k$, we have
$$\Pr_{T_{\mathbf{x}} \leftarrow \mathrm{GRDH}}[T_{\mathbf{x}}(\mathbf{m}) = T_{\mathbf{x}}(\mathbf{m}')] \le \max_{\mathbf{a} = \mathbf{m} - \mathbf{m}' \in \mathbb{Z}_n^k \setminus \{\mathbf{0}\}} P_{\mathbf{a}}(n, \mathbf{t}) \le \frac{1}{p_{\min} - 1}.$$
Therefore, if $n$ is odd and $(x_i, n) = t_i = 1$ ($1 \le i \le k$) then GRDH (which is then reduced to RDH) is $\frac{1}{p_{\min} - 1}$-AU. We also note that this bound is tight: take $a_1 = a_2 = \frac{n}{p_{\min}}$ and $a_3 = \cdots = a_k = 0$. So, we get that $m_{p_{\min}}(\frac{n}{p_{\min}}, \frac{n}{p_{\min}}, 0, \ldots, 0) = r_{p_{\min}}$ and $e_{p_{\min}} = 2$, and for every other prime $p \mid n$ we get that $m_p(\frac{n}{p_{\min}}, \frac{n}{p_{\min}}, 0, \ldots, 0) > r_p$. Now, by (3.4) and case (ii) above, the collision probability for this specific $\mathbf{a}$ is exactly $\frac{1}{p_{\min} - 1} \le \frac{1}{2}$. □

The following remark gives a necessary and sufficient condition for the $\varepsilon$-almost-universality of the family GRDH in the case of $k = 1$. We omit the proof as it is simply obtained from the above argument (this special case can also be proved directly, or from [8, Th. 3.1]).

Remark 3.4. If $k = 1$ then the family GRDH is an $\varepsilon$-AU family of hash functions for some $\varepsilon < 1$ if and only if $(x_1, n) = t_1 = 1$. Furthermore, if $(x_1, n) = t_1 = 1$ then the collision probability for any two distinct messages is 'exactly zero'.

Now, we investigate the $\varepsilon$-almost-$\Delta$-universality of GRDH. Note the change from $k > 1$ in Theorem 3.3 to $k \ge 1$ in Theorem 3.5. The proof idea is similar to that of Theorem 3.3, so in the proof we only write the parts which need more arguments.

Theorem 3.5. Let $n$ and $k$ be positive integers ($n > 1$). The family GRDH is an $\varepsilon$-A$\Delta$U family of hash functions for some $\varepsilon < 1$ if and only if $n$ is odd and $(x_i, n) = t_i = 1$ ($1 \le i \le k$). Furthermore, if these conditions are satisfied then GRDH (which is then reduced to RDH) is $\frac{1}{p-1}$-A$\Delta$U, where $p$ is the smallest prime divisor of $n$. This bound is tight.

Proof. Assume the setting of the family GRDH, and that $\mathbf{t} = (t_1, \ldots, t_k)$ is given. Let $n > 1$ and for every prime divisor $p$ of $n$ let $r_p$ be the exponent of $p$ in the prime factorization of $n$. If for a given $\mathbf{a} = (a_1, \ldots, a_k) \in \mathbb{Z}_n^k \setminus \{\mathbf{0}\}$ and a given $b \in \mathbb{Z}_n$ there is a prime $p \mid n$ such that $m_p \le r_p$ and $p^{m_p - 1} \nmid b$, or such that $m_p \ge r_p + 1$ and $p^{r_p} \nmid b$, then, by the first part of Theorem 2.2, the probability that we have $T_{\mathbf{x}}(\mathbf{m}) - T_{\mathbf{x}}(\mathbf{m}') = b$ is exactly zero. Otherwise, given any $\mathbf{a} = (a_1, \ldots, a_k) \in \mathbb{Z}_n^k \setminus \{\mathbf{0}\}$ and any $b \in \mathbb{Z}_n$, the probability that we have $T_{\mathbf{x}}(\mathbf{m}) - T_{\mathbf{x}}(\mathbf{m}') = b$ is exactly
$$Q_{\mathbf{a}, b}(n, \mathbf{t}) = \prod_{\substack{p \mid n \\ m_p \le r_p \\ p^{m_p} \mid b}} p^{m_p - r_p - 1}\left(1 + \frac{(-1)^{e_p}}{(p-1)^{e_p - 1}}\right) \prod_{\substack{p \mid n \\ m_p \le r_p \\ p^{m_p - 1} \,\|\, b}} p^{m_p - r_p - 1}\left(1 - \frac{(-1)^{e_p}}{(p-1)^{e_p}}\right). \tag{3.5}$$

Now, there are three cases:

(i) If for a prime $p \mid n$ we have $m_p \le r_p$ and $p^{m_p - 1} \,\|\, b$ then, by (3.5), the term corresponding to this $p$ in $Q_{\mathbf{a}, b}(n, \mathbf{t})$ equals
$$p^{m_p - r_p - 1}\left(1 - \frac{(-1)^{e_p}}{(p-1)^{e_p}}\right) \le p^{-1}\left(1 + \frac{1}{(p-1)^{1}}\right) = \frac{1}{p-1}.$$

(ii) If for a prime $p \mid n$ we have $m_p \le r_p$ and $p^{m_p} \mid b$ then, by (3.5), the term corresponding to this $p$ in $Q_{\mathbf{a}, b}(n, \mathbf{t})$ equals
$$p^{m_p - r_p - 1}\left(1 + \frac{(-1)^{e_p}}{(p-1)^{e_p - 1}}\right) \le p^{-1}\left(1 + \frac{1}{(p-1)^{2-1}}\right) = \frac{1}{p-1}.$$

(iii) If for a prime $p \mid n$ we have $m_p > r_p$ and $p^{r_p} \mid b$ then, by (3.5), the term corresponding to this $p$ in $Q_{\mathbf{a}, b}(n, \mathbf{t})$ equals 1.

If there exists some $i_0$ such that $t_{i_0} \ne 1$ then the argument is exactly the same as before (just take $b = 0$). Now, assume that $t_i = 1$ ($1 \le i \le k$). Then, if $n$ is even, take $a_1 = b = \frac{n}{2}$ and $a_2 = \cdots = a_k = 0$. Now, one can see that, by (3.5) and cases (i), (iii) above (for $p = 2$ we have $m_2 = r_2$, $e_2 = 1$ and $2^{m_2 - 1} \,\|\, b$, so the factor is $2^{-1}(1 + 1) = 1$), the probability that we have $T_{\mathbf{x}}(\mathbf{m}) - T_{\mathbf{x}}(\mathbf{m}') = b$ for these specific $\mathbf{a}$ and $b$ is exactly one.

Now, suppose that $n$ is odd and $t_i = 1$ ($1 \le i \le k$). Then, by (3.5), Lemma 3.2(ii), and cases (i), (ii), (iii) above, one can see that
$$\max_{\substack{\mathbf{a} = \mathbf{m} - \mathbf{m}' \in \mathbb{Z}_n^k \setminus \{\mathbf{0}\} \\ b \in \mathbb{Z}_n}} Q_{\mathbf{a}, b}(n, \mathbf{t})$$
is achieved at a specific $\mathbf{a} = (a_1, \ldots, a_k) \in \mathbb{Z}_n^k \setminus \{\mathbf{0}\}$ and a specific $b \in \mathbb{Z}_n$ for which there exists exactly one prime $p \mid n$ such that $m_p(a_1, \ldots, a_k) \le r_p$ and $p^{m_p - 1} \,\|\, b$, or $m_p(a_1, \ldots, a_k) \le r_p$ and $p^{m_p} \mid b$, and also $p^{r_p} \mid b$ for every other prime $p \mid n$; furthermore, $p$ has to be the smallest prime divisor of $n$, which we denote by $p_{\min}$.

Consequently, if $n$ is odd and $(x_i, n) = t_i = 1$ ($1 \le i \le k$) then for any two distinct messages $\mathbf{m}, \mathbf{m}' \in \mathbb{Z}_n^k$, and all $b \in \mathbb{Z}_n$, we have
$$\Pr_{T_{\mathbf{x}} \leftarrow \mathrm{GRDH}}[T_{\mathbf{x}}(\mathbf{m}) - T_{\mathbf{x}}(\mathbf{m}') = b] \le \max_{\substack{\mathbf{a} = \mathbf{m} - \mathbf{m}' \in \mathbb{Z}_n^k \setminus \{\mathbf{0}\} \\ b \in \mathbb{Z}_n}} Q_{\mathbf{a}, b}(n, \mathbf{t}) \le \frac{1}{p_{\min} - 1}.$$
Therefore, if $n$ is odd and $(x_i, n) = t_i = 1$ ($1 \le i \le k$) then GRDH (which is then reduced to RDH) is $\frac{1}{p_{\min} - 1}$-A$\Delta$U. We also note that this bound is tight: take $a_1 = b = \frac{n}{p_{\min}}$ and $a_2 = \cdots = a_k = 0$. Now, by (3.5) and cases (i), (iii) above (for $p_{\min}$ we have $m_{p_{\min}} = r_{p_{\min}}$, $e_{p_{\min}} = 1$ and $p_{\min}^{m_{p_{\min}} - 1} \,\|\, b$), one can see that the probability that we have $T_{\mathbf{x}}(\mathbf{m}) - T_{\mathbf{x}}(\mathbf{m}') = b$ for these specific $\mathbf{a}$ and $b$ is exactly $\frac{1}{p_{\min} - 1}$. □
Remark 3.6. While the proofs of Theorem 3.3 and Theorem 3.5 are simple thanks to Theorem 2.2, there may be other, simpler proofs (say, without relying on the counting arguments as we do) for these results. However, given the general statements of Theorem 3.3 and Theorem 3.5, possible simpler proofs for these results which cover the 'whole' statements may not necessarily be that much shorter. Besides, we believe that our proof techniques have their own merit and these connections and techniques may motivate more work in universal hashing and related areas.

Remark 3.7. If in Theorem 3.5 we let $k = 1$, then we get the main result of the paper by Alomair et al. [2, Th. 5.11], which was obtained via a very long argument.

Remark 3.8. Using Theorem 2.2 and the idea of the proof of Theorem 3.3, one can see that there are cases in which the collision probability in the family GRDH is 'exactly zero' (Corollary 2.3 completely characterizes all these cases). This can be considered as an advantage of the family GRDH and is not the case in the family MMH*, as the collision probability in MMH* is always exactly $\frac{1}{p}$, which never vanishes.
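As an added illustration of Theorems 3.3 and 3.5, Remark 3.4, Remark 3.8 and (for comparison) Theorem 1.3, the following Python code, which is ours and not part of the paper, computes the exact distribution of $T_{\mathbf{x}}(\mathbf{m}) - T_{\mathbf{x}}(\mathbf{m}')$ over the whole key set by enumeration, for MMH* (keys in $\mathbb{Z}_n^k$), RDH (keys in $(\mathbb{Z}_n^*)^k$) and GRDH (keys with $\gcd(x_i, n) = t_i$). Since $T_{\mathbf{x}}$ is linear, that distribution depends only on $\mathbf{a} = \mathbf{m} - \mathbf{m}'$, so the worst case over message pairs is the worst case over $\mathbf{a} \ne \mathbf{0}$. The function names are ours and the moduli are deliberately tiny; the enumeration is exponential in $k$.

```python
"""Exact collision and difference probabilities of dot-product hashing
T_x(m) = sum m_i x_i (mod n) over a key set, by exhaustive enumeration.
Added example, not the paper's code; small n and k only."""
from fractions import Fraction
from itertools import product
from math import gcd


def key_set(n, k, t=None):
    """MMH*-style keys (all of Z_n^k) when t is None; otherwise GRDH keys with
    gcd(x_i, n) = t_i.  RDH is the special case t = (1, ..., 1)."""
    return [x for x in product(range(n), repeat=k)
            if t is None or all(gcd(xi, n) == ti for xi, ti in zip(x, t))]


def dot_hash(x, m, n):
    return sum(mi * xi for mi, xi in zip(m, x)) % n


def difference_distribution(n, k, a, t=None):
    """dist[b] = Pr_x[T_x(m) - T_x(m') = b] for m - m' = a; dist[0] is the collision probability."""
    keys = key_set(n, k, t)
    counts = [0] * n
    for x in keys:
        counts[dot_hash(x, a, n)] += 1
    return [Fraction(c, len(keys)) for c in counts]


def worst_difference(n, k, t=None):
    """(max over a != 0 and b of Pr_x[T_x(a) = b], a, b): the smallest eps for which
    the family is eps-almost-Delta-universal."""
    best = (Fraction(0), None, None)
    for a in product(range(n), repeat=k):
        if not any(a):
            continue
        dist = difference_distribution(n, k, a, t)
        b = max(range(n), key=lambda i: dist[i])
        if dist[b] > best[0]:
            best = (dist[b], a, b)
    return best


def worst_collision(n, k, t=None):
    """max over a != 0 of Pr_x[T_x(a) = 0]: the smallest eps for which the family is eps-AU."""
    return max(difference_distribution(n, k, a, t)[0]
               for a in product(range(n), repeat=k) if any(a))
```

With $n = 6$ and unit keys, `worst_collision` returns $1$ (the difference $\mathbf{a} = (3, 3)$ from the proof of Theorem 3.3 collides under every key), whereas $n = 15$ gives exactly $\frac{1}{3-1} = \frac{1}{2}$ for both the collision and the difference probability, attained at $\mathbf{a} = (5, 5)$ and at $\mathbf{a} = (5, 0)$, $b = 5$ respectively. Taking $t_1 = 3$ instead of $1$ brings the worst case back to $1$, as Lemma 3.2(i) predicts.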


4 Applications to authentication with secrecy

As an application of the results of the preceding section, we propose an authentication code with secrecy scheme which generalizes a recent construction [1, 2]. We remark that Alomair et al. have applied their scheme in several other papers; see, e.g., [2] for an application of this approach to the authentication problem in RFID systems. So, our results may have implications in those applications as well. We adopt the notation of [21] in specifying the syntax of these codes. In particular, we consider key-indexed families of coding rules.

An authentication code with secrecy (or code for short) is a tuple $\mathcal{C} = (\mathcal{S}, \mathcal{M}, \mathcal{K}, \mathcal{E}, \mathcal{D})$, specified by the following sets: $\mathcal{S}$ of source states (or plaintexts), $\mathcal{M}$ of messages (or ciphertexts), $\mathcal{K}$ of keys, $\mathcal{E}$ of authenticated encryption (AE) functions and $\mathcal{D}$ of verified decryption functions. The sets $\mathcal{E}$ and $\mathcal{D}$ are indexed by $\mathcal{K}$. For $k \in \mathcal{K}$, $\mathcal{E}_k : \mathcal{S} \to \mathcal{M}$ is the associated authenticated encryption function and $\mathcal{D}_k : \mathcal{M} \to \mathcal{S} \cup \{\bot\}$ is the associated verified decryption function. The encryption and decryption functions have the property that for every $m \in \mathcal{S}$, $\mathcal{D}_k(\mathcal{E}_k(m)) = m$. Moreover, for any $c \in \mathcal{M}$, if $c \ne \mathcal{E}_k(m)$ for every $m \in \mathcal{S}$, then $\mathcal{D}_k(c) = \bot$.

Before presenting our construction, we first note that although it is not explicitly stated in [1, 2], the construction given there is correct only for the case of a uniform distribution on source states. This will be the case for our construction as well. We note that this assumption, while unrealistically strong from a security perspective, is commonly used in the study of authentication codes with secrecy. Following the terminology of [21] (see also [22]), we will call such codes authentication and secrecy codes for equiprobable source probability distributions. Henceforth we will work under the assumption of equiprobable source states.

We now give the security definitions required for authentication and secrecy. We begin with a definition of secrecy.

Definition 4.1. We say that $\mathcal{C} = (\mathcal{S}, \mathcal{M}, \mathcal{K}, \mathcal{E}, \mathcal{D})$ provides $\varepsilon$-secrecy on $\mathcal{S}' \subseteq \mathcal{S}$ if for every $m \in \mathcal{S}'$ and $c \in \mathcal{M}$,
$$\Pr_{m' \leftarrow \mathcal{S},\, k \leftarrow \mathcal{K}}[m' = m \mid \mathcal{E}_k(m') = c] \le \varepsilon.$$

Thus, $\frac{1}{|\mathcal{S}|}$-secrecy on $\mathcal{S}$ corresponds to the standard notion of Shannon secrecy [13] (for a uniform message distribution).

With respect to authentication, we restrict attention to substitution attacks, also known as spoofing attacks of order 1. A $\mathcal{C}$-forger is a mapping $\mathcal{F} : \mathcal{M} \to \mathcal{M}$. Note that there are no computational restrictions on $\mathcal{F}$. We say that $\mathcal{C}$ is $\delta$-secure against substitution attacks if for every $\mathcal{C}$-forger $\mathcal{F}$,
$$\Pr_{m \leftarrow \mathcal{S},\, k \leftarrow \mathcal{K},\, c \leftarrow \mathcal{E}_k(m)}[\mathcal{F}(c) \ne c \wedge \mathcal{D}_k(\mathcal{F}(c)) \ne \bot] \le \delta.$$

Finally, we say that $\mathcal{C}$ is an $(\varepsilon, \delta)$-authentication code with secrecy for equiprobable source states on $\mathcal{S}'$ if it is $\varepsilon$-secret on $\mathcal{S}'$ and $\delta$-secure against substitution attacks.

For any $n, k \in \mathbb{N}$, we define $\mathcal{C}_{\mathrm{RDH}}$ as follows: $\mathcal{S} = \mathbb{Z}_n^k$, $\mathcal{K} = \mathbb{Z}_n^k \times (\mathbb{Z}_n^*)^k$, $\mathcal{M} = \mathbb{Z}_n^k \times \mathbb{Z}_n$. Thus, source states are $k$-tuples $\mathbf{m} = (m_1, \ldots, m_k)$, keys are pairs $(\mathbf{x}, \mathbf{y})$ of $k$-tuples $\mathbf{x} = (x_1, \ldots, x_k)$, $\mathbf{y} = (y_1, \ldots, y_k)$, and ciphertexts are pairs $(\mathbf{c}, t)$.

Note that we will sometimes write pairs using the notation $\cdot \| \cdot$ rather than the usual $(\cdot, \cdot)$, e.g., we write a key pair as $\mathbf{x} \| \mathbf{y}$. Also, we may abuse terminology, and for a ciphertext $\mathbf{c} \| t$, call $\mathbf{c}$ the ciphertext and $t$ the tag. The authenticated encryption function $\mathcal{E}$ is defined as follows:
$$\mathcal{E}_{\mathbf{x} \| \mathbf{y}}(\mathbf{m}) = \Psi_{\mathbf{x}}(\mathbf{m}) \,\|\, T_{\mathbf{y}}(\mathbf{m}),$$
where $T$ is the RDH hash function, and
$$\Psi_{\mathbf{x}}(\mathbf{m}) = (m_1 + x_1 \pmod n, \ldots, m_k + x_k \pmod n).$$
To define $\mathcal{D}$, we first define $\Psi^{-1}$:
$$\Psi_{\mathbf{x}}^{-1}(\mathbf{c}) = (c_1 - x_1 \pmod n, \ldots, c_k - x_k \pmod n).$$
Then
$$\mathcal{D}_{\mathbf{x} \| \mathbf{y}}(\mathbf{c} \| t) = \begin{cases} \Psi_{\mathbf{x}}^{-1}(\mathbf{c}) & \text{if } T_{\mathbf{y}}(\Psi_{\mathbf{x}}^{-1}(\mathbf{c})) = t; \\ \bot & \text{otherwise.} \end{cases}$$
Now, we are ready to state and prove our main result in this section: 


Theorem 4.2. Let $n, k \in \mathbb{N}$, where $n$ is odd, and $p$ the smallest prime divisor of $n$. Then
$\mathcal{C}_{\mathrm{RDH}}$ is a $\left(\frac{1}{(p-1)n^{k-1}}, \frac{1}{p-1}\right)$-authentication code with secrecy for equiprobable source states on
$\mathbb{Z}_n^k \setminus \{0\}$.

We will establish this theorem by the following sequence of lemmas. 


Lemma 4.3. Let $n, k \in \mathbb{N}$, where $n$ is odd, and $p$ the smallest prime divisor of $n$. Then
$\mathcal{C}_{\mathrm{RDH}}$ is $\frac{1}{(p-1)n^{k-1}}$-secret on $\mathbb{Z}_n^k \setminus \{0\}$.

Proof. We first note that for any $m$, $c$, and $t$,

$$\Pr\left[\, m' = m \;\middle|\; \mathcal{E}_{x \| y}(m') = c \| t \,\right] = \Pr\left[\, m' = m \;\middle|\; \Upsilon_y(m') = t \,\right].$$

This follows from the independence of $\Psi_x(m')$ and $\Upsilon_y(m')$, conditioned on $m' = m$, along
with the fact that $\Psi$ provides Shannon secrecy. But

$$\Pr_{m' \leftarrow \mathbb{Z}_n^k,\; y \leftarrow (\mathbb{Z}_n^*)^k}\left[\, m' = m \;\middle|\; \Upsilon_y(m') = t \,\right] = \Pr\left[\, \Upsilon_y(m') = t \;\middle|\; m' = m \,\right] / n^{k-1} \le \frac{1}{(p-1)n^{k-1}},$$

where the equality follows by Bayes' rule and the fact that for $m' \leftarrow \mathbb{Z}_n^k$ and $y \leftarrow (\mathbb{Z}_n^*)^k$,
$\Upsilon_y(m')$ is uniformly distributed in $\mathbb{Z}_n$, and the inequality follows, assuming $m \ne 0$, by
Theorem 3.5. □


We now establish a key hiding property which will be needed to prove resistance to 
substitution attacks. 

Lemma 4.4. For $n, k \in \mathbb{N}$, $y \in (\mathbb{Z}_n^*)^k$, $c \in \mathbb{Z}_n^k$ and $t \in \mathbb{Z}_n$,

$$\Pr_{m \in \mathbb{Z}_n^k,\; x \in \mathbb{Z}_n^k,\; y' \in (\mathbb{Z}_n^*)^k}\left[\, y' = y \;\middle|\; \mathcal{E}_{x \| y'}(m) = c \| t \,\right] = \frac{1}{|(\mathbb{Z}_n^*)^k|}.$$

Proof. First note that since $x$ and $m$ are chosen independently of $y'$, it is the case that
$\Psi_x(m)$ and $y'$ are independent. So we just need to show that

$$\Pr_{m \in \mathbb{Z}_n^k,\; y' \in (\mathbb{Z}_n^*)^k}\left[\, y' = y \;\middle|\; \Upsilon_{y'}(m) = t \,\right] = \frac{1}{|(\mathbb{Z}_n^*)^k|}.$$

Note that

$$\begin{aligned}
\Pr_{m \in \mathbb{Z}_n^k,\; y' \in (\mathbb{Z}_n^*)^k}\left[\, \Upsilon_{y'}(m) = t \;\middle|\; y' = y \,\right]
&= \Pr_{m \in \mathbb{Z}_n^k,\; y' \in (\mathbb{Z}_n^*)^k}\left[\, \Upsilon_{y'}(m) = t \wedge y' = y \,\right] \Big/ \Pr_{y' \in (\mathbb{Z}_n^*)^k}\left[\, y' = y \,\right] \\
&= \Pr_{m \in \mathbb{Z}_n^k,\; y' \in (\mathbb{Z}_n^*)^k}\left[\, \Upsilon_{y}(m) = t \wedge y' = y \,\right] \Big/ \Pr_{y' \in (\mathbb{Z}_n^*)^k}\left[\, y' = y \,\right] \\
&= \Pr_{m \in \mathbb{Z}_n^k}\left[\, \Upsilon_{y}(m) = t \,\right] \cdot \Pr_{y' \in (\mathbb{Z}_n^*)^k}\left[\, y' = y \,\right] \Big/ \Pr_{y' \in (\mathbb{Z}_n^*)^k}\left[\, y' = y \,\right] \\
&= \Pr_{m \in \mathbb{Z}_n^k}\left[\, \Upsilon_{y}(m) = t \,\right] = \frac{1}{|\mathbb{Z}_n|},
\end{aligned}$$

where the last equality follows because the product of a uniformly random element of $\mathbb{Z}_n$
and a fixed element of $\mathbb{Z}_n^*$ is uniformly distributed in $\mathbb{Z}_n$, and the sum of a fixed number of
uniformly random elements of $\mathbb{Z}_n$ is uniformly distributed in $\mathbb{Z}_n$. We now have

$$\Pr_{m \in \mathbb{Z}_n^k,\; y' \in (\mathbb{Z}_n^*)^k}\left[\, y' = y \;\middle|\; \Upsilon_{y'}(m) = t \,\right] = \frac{\Pr_{m \in \mathbb{Z}_n^k,\; y' \in (\mathbb{Z}_n^*)^k}\left[\, \Upsilon_{y'}(m) = t \;\middle|\; y' = y \,\right] \cdot \Pr_{y' \in (\mathbb{Z}_n^*)^k}\left[\, y' = y \,\right]}{\Pr_{m \in \mathbb{Z}_n^k,\; y' \in (\mathbb{Z}_n^*)^k}\left[\, \Upsilon_{y'}(m) = t \,\right]}. \tag{4.1}$$

But

$$\Pr_{m \in \mathbb{Z}_n^k,\; y' \in (\mathbb{Z}_n^*)^k}\left[\, \Upsilon_{y'}(m) = t \,\right] = \sum_{y \in (\mathbb{Z}_n^*)^k} \Pr_{m \in \mathbb{Z}_n^k,\; y' \in (\mathbb{Z}_n^*)^k}\left[\, \Upsilon_{y'}(m) = t \;\middle|\; y' = y \,\right] \cdot \Pr_{y' \in (\mathbb{Z}_n^*)^k}\left[\, y' = y \,\right] = \frac{1}{|\mathbb{Z}_n|}.$$

Combining this with (4.1) completes the proof. □
Remark 4.5. This key hiding property does not hold in general. The given proof depends
on the fact that $m$ is uniformly distributed in $\mathbb{Z}_n^k$.

Lemma 4.6. Let $n, k \in \mathbb{N}$, where $n$ is odd, and $p$ the smallest prime divisor of $n$. Then
$\mathcal{C}_{\mathrm{RDH}}$ is $\frac{1}{p-1}$-secure against substitution attacks.

Proof. By way of contradiction suppose that $\mathcal{F}$ produces a substitution with probability
greater than $\frac{1}{p-1}$. By averaging, there must be some $m \in \mathbb{Z}_n^k$ such that, with probability greater
than $\frac{1}{p-1}$ over the choice of random $x$ and $y$, if $\mathcal{E}_{x \| y}(m) = c \| t$ then $\mathcal{F}(c \| t) = c' \| t'$ such that
$c' \| t' \ne c \| t$ and $\Upsilon_y(\Psi_x^{-1}(c')) = t'$. Let $b = t - t'$ and $m' = \Psi_x^{-1}(c')$. Note that it must be
the case that $m' \ne m$. By the preceding lemma, $y$ and $m'$ are statistically independent. So,

$$\Upsilon_y(m) - \Upsilon_y(m') = b,$$

for randomly chosen $y \in (\mathbb{Z}_n^*)^k$, violating that RDH is $\frac{1}{p-1}$-A$\Delta$U by Theorem 3.5. □
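As an added example (not code from the paper), the following Python models $\mathcal{C}_{\mathrm{RDH}}$ with the one-time-pad component $\Psi$ and the RDH tag $\Upsilon$ as defined above, and brute-forces the $\Delta$-universality parameter of RDH that Lemma 4.6 relies on, so that for small odd $n$ the $\frac{1}{p-1}$ bound of Theorem 4.2 can be checked exactly and the failure for even $n$ can be seen; all function names are the example's own.

```python
from fractions import Fraction
from itertools import product
from math import gcd
import secrets

def units(n):
    """Z_n^*: the residues coprime to n (the y_i of an RDH key live here)."""
    return [a for a in range(1, n) if gcd(a, n) == 1]

def smallest_prime_divisor(n):
    """p in Theorem 4.2: the smallest prime dividing n."""
    return next(d for d in range(2, n + 1) if n % d == 0)

def rdh(y, m, n):
    """Upsilon_y(m) = sum_i m_i * y_i mod n (the RDH hash)."""
    return sum(mi * yi for mi, yi in zip(m, y)) % n

def keygen(n, k):
    """Key x||y: x uniform in Z_n^k (one-time pad), y uniform in (Z_n^*)^k."""
    u = units(n)
    return (tuple(secrets.randbelow(n) for _ in range(k)),
            tuple(secrets.choice(u) for _ in range(k)))

def encrypt(key, m, n):
    """E_{x||y}(m) = Psi_x(m) || Upsilon_y(m): pad m with x, tag m with y."""
    x, y = key
    c = tuple((mi + xi) % n for mi, xi in zip(m, x))
    return c, rdh(y, m, n)

def verify(key, c, t, n):
    """V_{x||y}(c||t): strip the pad, recompute the tag over the recovered
    plaintext, and release it only if the tag matches (None stands for bottom)."""
    x, y = key
    m = tuple((ci - xi) % n for ci, xi in zip(c, x))
    return m if rdh(y, m, n) == t else None

def max_rdh_delta_probability(n, k):
    """Exact A-Delta-U parameter of RDH over (Z_n^*)^k by enumeration: the largest
    Pr_y[Upsilon_y(m) - Upsilon_y(m') = b] over m != m' and b. Upsilon is linear
    in m, so only the difference d = m - m' != 0 matters and we enumerate d."""
    ys = list(product(units(n), repeat=k))
    worst = Fraction(0)
    for d in product(range(n), repeat=k):
        if not any(d):
            continue
        counts = [0] * n
        for y in ys:
            counts[rdh(y, d, n)] += 1
        worst = max(worst, Fraction(max(counts), len(ys)))
    return worst
```

For $n = 15$, $k = 2$ the enumeration returns exactly $\frac{1}{p-1} = \frac{1}{2}$ (attained at $d = (5, 0)$), while for $n = 10$, $k = 1$ the difference $d = 5$ collides for every unit $y$, which is the even-$n$ failure the abstract refers to.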

4.1 Discussion 

The proposed scheme, which is a generalization of the scheme proposed in [1, 3], is defined
using the encrypt-and-authenticate paradigm (see [a ET] and the references therein, for a
detailed discussion about these generic constructions and their security analysis). Since this
approach requires the decryption of a purported ciphertext before its authentication, it is
susceptible to attacks if the implementation of the decryption function leaks information when
given invalid ciphertexts. Surprisingly, the preferred encrypt-then-authenticate approach will
not work in our setting because it is not key-hiding.

We now show that the assumption that messages are generated uniformly at random
is necessary for our result, by showing that any authentication scheme achieving $\varepsilon$-security
against substitution attacks for arbitrary source distributions is in fact an $\varepsilon$-ASU hash family.
We begin with some definitions.

Definition 4.7. An authentication code is specified by a tuple $M = (\mathcal{S}, \mathcal{T}, \mathcal{K}, \mathcal{M}, \mathcal{V})$ where
$\mathcal{S}$ is the set of source states, $\mathcal{T}$ is the set of tags, $\mathcal{K}$ is the set of keys, $\mathcal{M} : \mathcal{K} \times \mathcal{S} \to \mathcal{T}$, and
$\mathcal{V} : \mathcal{K} \times \mathcal{S} \times \mathcal{T} \to \{0, 1\}$. It must be the case that for all $k \in \mathcal{K}$ and $m \in \mathcal{S}$, $\mathcal{V}_k(m \| \mathcal{M}_k(m)) = 1$.
A forger is a mapping $\mathcal{F} = (\mathcal{F}_1, \mathcal{F}_2)$ where $\mathcal{F}_1 : \mathcal{S} \times \mathcal{T} \to \mathcal{S}$ and $\mathcal{F}_2 : \mathcal{S} \times \mathcal{T} \to \mathcal{T}$. We say
$M$ is $\varepsilon$-secure against substitution attacks if for every forger $\mathcal{F}$ and distribution $\mathcal{D}$ on $\mathcal{S}$,

$$\Pr_{k \leftarrow \mathcal{K},\; m \leftarrow_{\mathcal{D}} \mathcal{S}}\left[\, \mathcal{F}_1(m, t) \ne m \;\wedge\; \mathcal{V}_k(\mathcal{F}(m \| t)) = 1 \,\right] \le \varepsilon,$$

where $t = \mathcal{M}_k(m)$.

Theorem 4.8. Suppose $M = (\mathcal{S}, \mathcal{T}, \mathcal{K}, \mathcal{M}, \mathcal{V})$ is $\varepsilon$-secure against substitution attacks. Then
$\{\mathcal{M}_k \mid k \in \mathcal{K}\}$ is an $\varepsilon$-ASU hash function family.

Proof. Suppose $\{\mathcal{M}_k \mid k \in \mathcal{K}\}$ is not an $\varepsilon$-ASU hash family. So there are $m' \ne m'' \in \mathcal{S}$
and $t', t'' \in \mathcal{T}$ such that $\Pr_{k \leftarrow \mathcal{K}}[\mathcal{M}_k(m'') = t'' \wedge \mathcal{M}_k(m') = t'] > \varepsilon$. Take $\mathcal{F}$ such that
$\mathcal{F}(m' \| t') = m'' \| t''$, and let $\mathcal{D}$ be the distribution on $\mathcal{S}$ which puts all weight on $m'$. Then

$$\begin{aligned}
\Pr_{k \leftarrow \mathcal{K},\; m \leftarrow_{\mathcal{D}} \mathcal{S}}\left[\, \mathcal{F}_1(m, t) \ne m \wedge \mathcal{V}_k(\mathcal{F}(m \| t)) = 1 \,\right]
&= \Pr_{k \leftarrow \mathcal{K}}\left[\, \mathcal{F}_1(m', t) \ne m' \wedge \mathcal{V}_k(\mathcal{F}(m' \| t)) = 1 \,\right] \\
&\ge \Pr_{k \leftarrow \mathcal{K}}\left[\, \mathcal{F}_1(m', t) \ne m' \wedge \mathcal{V}_k(\mathcal{F}(m' \| t)) = 1 \;\middle|\; t = t' \,\right] \cdot \Pr_{k \leftarrow \mathcal{K}}\left[\, t = t' \,\right] \\
&= \Pr_{k \leftarrow \mathcal{K}}\left[\, \mathcal{F}_1(m', t') \ne m' \wedge \mathcal{V}_k(\mathcal{F}(m' \| t')) = 1 \wedge \mathcal{M}_k(m') = t' \,\right] \\
&= \Pr_{k \leftarrow \mathcal{K}}\left[\, m'' \ne m' \wedge \mathcal{M}_k(m'') = t'' \wedge \mathcal{M}_k(m') = t' \,\right] > \varepsilon.
\end{aligned}$$

□